Kelly71eq2
just joined
Topic Author
Posts: 1
Joined: Mon Oct 29, 2018 7:03 pm

blocking ping/ICMP

Mon Oct 29, 2018 7:10 pm

Team,

I know this should be easy but I have a cold today and things just are not working as they should. I am getting some random DoS attacks and I think just turning on ICMP and blocking outside ping should be the easiest fix. The source IP is jumping all over the place so I really can't make an array. I have been looking over the wiki for an hour and not finding what I need. I am running version 6.4 on my MT. Appreciate any help you can give me. Also, is what I am pulling from the logs about the DoS?

Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=183.224.14.237 DST=173.10.26.96 LEN=40 TOS=00 PREC=0x20 TTL=33 ID=31758 PROTO=ICMP TYPE=13 CODE=0 2018/10/25 13:24:31 Notice
Firewall[242]: DoS Attack - ICMP Flooding IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=183.224.14.237 DST=173.10.26.96 LEN=96 TOS=00 PREC=0x20 TTL=48 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=49220 SEQ=22543 2018/10/25 13:24:25 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=158.255.215.145 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=25 ID=3123 PROTO=ICMP TYPE=13 CODE=0 2018/10/24 12:36:22 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=213.183.56.106 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=15 ID=29788 PROTO=ICMP TYPE=13 CODE=0 2018/10/24 12:06:12 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=139.59.19.188 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=34 ID=44589 CE PROTO=ICMP TYPE=13 CODE=0 2018/10/24 09:54:35 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=159.65.198.141 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=33 ID=15535 PROTO=ICMP TYPE=13 CODE=0 2018/10/24 09:05:06 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=128.199.146.150 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=39 ID=48997 CE PROTO=ICMP TYPE=13 CODE=0 2018/10/24 08:41:52 Notice
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: blocking ping/ICMP

Tue Oct 30, 2018 6:29 am

If you are just wanting to block ICMP packets, simply do just that. Something like this:
add action=drop chain=input in-interface=e1_Internet protocol=icmp
Obviously you would have to edit this to have the in-interface = whatever your internet interface is (as opposed to my e1_internet).
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
vecernik87
Long time Member
Posts: 642
Joined: Fri Nov 10, 2017 8:19 am

Re: blocking ping/ICMP

Tue Oct 30, 2018 8:10 am

Incoming pings are common and do not necessarily mean it is DoS or DDoS. I have regularly
How do you recognize a DoS attack? What are the limits, etc.?

Also - what resource gets utilized most during the attack? Is it CPU? Then dropping some packets might help, but if it happens AFTER connection tracking (/ip firewall filter), it will still consume a lot of CPU. The only way to drop packets without consuming much CPU is using /ip firewall raw with chain=prerouting - that is the only ruleset which happens BEFORE connection tracking.
If the network is the most utilized resource, then dropping packets will not really help much because packets will still flow to you and utilize your network (possibly causing higher latency and packet loss).

Keep in mind that if you block the whole ICMP protocol, it might cause other issues (depends on what kind of services you use).

In addition, I would recommend analyzing it with /tool torch interface=YOUR_WAN_INTERFACE ip-protocol=icmp src-address=0.0.0.0/0 because that will show you how many kbps/pps belong to each IP instead of a never-ending list of log entries.
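An added example, not code from the thread or from MikroTik: a small Python script that does offline what the torch suggestion above does live. It aggregates the gateway log lines quoted in the first post by source address, ICMP type and gateway label, and works out the event rate over the logged window, so you can judge whether you are looking at a flood or at ordinary background scanning before deciding to drop ICMP at all. The log lines are copied from the first post; the assumption that every line follows the same `Firewall[242]` key=value layout (and the regex built on it) is mine, and the ICMP type names are the IANA assignments.

```python
import re
from collections import Counter
from datetime import datetime

# The seven gateway log lines quoted in the first post (copied from the thread).
# Assumption: every line uses the same "key=value ... timestamp Notice" layout.
SAMPLE_LOG = """\
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=183.224.14.237 DST=173.10.26.96 LEN=40 TOS=00 PREC=0x20 TTL=33 ID=31758 PROTO=ICMP TYPE=13 CODE=0 2018/10/25 13:24:31 Notice
Firewall[242]: DoS Attack - ICMP Flooding IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=183.224.14.237 DST=173.10.26.96 LEN=96 TOS=00 PREC=0x20 TTL=48 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=49220 SEQ=22543 2018/10/25 13:24:25 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=158.255.215.145 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=25 ID=3123 PROTO=ICMP TYPE=13 CODE=0 2018/10/24 12:36:22 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=213.183.56.106 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=15 ID=29788 PROTO=ICMP TYPE=13 CODE=0 2018/10/24 12:06:12 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=139.59.19.188 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=34 ID=44589 CE PROTO=ICMP TYPE=13 CODE=0 2018/10/24 09:54:35 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=159.65.198.141 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=33 ID=15535 PROTO=ICMP TYPE=13 CODE=0 2018/10/24 09:05:06 Notice
Firewall[242]: DoS Attack - Smurf Attack IN=erouter0 OUT= MAC=80:b2:34:4a:77:c7:00:01:5c:64:d8:46:08:00 SRC=128.199.146.150 DST=173.10.26.110 LEN=40 TOS=00 PREC=0x20 TTL=39 ID=48997 CE PROTO=ICMP TYPE=13 CODE=0 2018/10/24 08:41:52 Notice
"""

# ICMP type numbers per the IANA registry (only the ones worth naming here).
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded", 13: "timestamp request", 14: "timestamp reply"}

# Pull out the gateway's own label, the addresses, the protocol/ICMP type and the timestamp.
LINE_RE = re.compile(
    r"DoS Attack - (?P<label>.+?) IN=(?P<iface>\S*).*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>\S+)(?: TYPE=(?P<type>\d+))?(?: CODE=(?P<code>\d+))?.*?"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
)


def parse_line(line):
    """Return the interesting fields of one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    icmp_type = int(m["type"]) if m["type"] is not None else None
    return {
        "label": m["label"],
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "icmp_type": icmp_type,
        "icmp_name": ICMP_TYPES.get(icmp_type, "other"),
        "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
    }


def summarize(log_text):
    """Aggregate parsed events by source, ICMP type and label, and compute the average rate."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    if not events:
        return {"events": 0}
    times = sorted(e["time"] for e in events)
    span = (times[-1] - times[0]).total_seconds()
    return {
        "events": len(events),
        "sources": Counter(e["src"] for e in events),
        "icmp_types": Counter(e["icmp_name"] for e in events),
        "labels": Counter(e["label"] for e in events),
        "span_seconds": span,
        # Average packets per second over the whole logged window. Compare this with
        # the live per-IP pps that torch reports; a handful of events spread over a
        # day is scanner background noise, not something that saturates a link.
        "avg_pps": len(events) / span if span > 0 else float("inf"),
    }


def print_report(summary):
    """Human-readable version of summarize()'s result."""
    print(f"{summary['events']} events over {summary['span_seconds']:.0f} s "
          f"(avg {summary['avg_pps']:.6f} pps)")
    for name, count in summary["icmp_types"].most_common():
        print(f"  ICMP {name}: {count}")
    for src, count in summary["sources"].most_common():
        print(f"  {src}: {count}")
    for label, count in summary["labels"].most_common():
        print(f"  gateway label '{label}': {count}")


if __name__ == "__main__":
    print_report(summarize(SAMPLE_LOG))
```

Run as-is it shows that six of the seven "attacks" are single ICMP type 13 (timestamp request) packets from six different addresses over about 29 hours, with one echo request from the address that also sent a timestamp request. The gateway's "Smurf Attack" label is its own heuristic; the numbers themselves are what decide whether a drop rule (and in which table, raw or filter) is worth the side effects of blocking ICMP. Feed it your own export by replacing SAMPLE_LOG with the file contents.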
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: blocking ping/ICMP

Tue Oct 30, 2018 5:06 pm

Thanks vecernik87 for the longer answer. My short answer was courtesy of needing to get to bed :)
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
Note
newbie
Posts: 49
Joined: Fri Jun 03, 2016 12:39 pm

Re: blocking ping/ICMP

Wed Oct 31, 2018 11:43 am

ICMP is needed and it's not right to block all of them.

You can use some firewall filters in order to stop the attacks.

https://wiki.mikrotik.com/wiki/DDoS_Det ... d_Blocking
